About the cover There are eight pendulums on the cover. Each pendulum represents one of the new patterns in the DBIR. The weight of the pendulum represents how often the pattern occurs. The length of the pendulum is how often they are breaches, as opposed to simply incidents. Just like in security, it’s difficult to predict where they’ll be in the future. Table of contents 01 03 05 DBIR Master’s Guide 4 Incident Classification Patterns 29 SMB 88 Introduction 6 Denial of Service 35 Diving back into SMB breaches 89 Summary of findings 7 Lost and Stolen Assets 41 Miscellaneous Errors 43 Privilege Misuse 46 06 02 Social Engineering 49 Regions 91 Results and Analysis 8 System Intrusion 54 Introduction to Regions 92 Actor 12 Basic Web Application Attacks 58 Asia Pacific (APAC) 93 Action 15 Everything Else 62 Europe, Middle East and Africa (EMEA) 95 Assets 19 Northern America (NA) 97 Attribute 22 Timeline 24 04 Impact 25 Industries 64 07 Introduction to industries 65 Wrap-up 100 Accommodation and Food Services 69 Year in review 102 Arts, Entertainment and Recreation 71 Educational Services 73 Financial and Insurance 75 08 Healthcare 76 Appendices 105 Information 77 Appendix A: Methodology 106 Manufacturing 79 Appendix B: Controls 110 Mining, Quarrying, and Oil & Gas Extraction + Utilities 81 Appendix C: U.S. Secret Service 113 Professional, Scientific Appendix D: Contributing organizations 115 and Technical Services 82 Public Administration 84 Retail 86 2021 DBIR Table of contents 3 01 DBIR Master’s Guide Hello first-time reader, and Variety: More specific enumerations of welcome to the 2021 Data higher-level categories, e.g., classifying Industry labels the external “bad guy” as an organized We align with the North American Breach Investigations Report criminal group or recording a Hacking Industry Classification System (NAICS) (DBIR). We have been creating action as SQL injection or brute force. standard to categorize the victim this report for a while now, organizations in our corpus. The and we appreciate that all the Learn more here: standard uses two- to six-digit codes to verbiage we use can be a bit classify businesses and organizations. obtuse at times. We use very • github.com/vz-risk/dbir/tree/ Our analysis is typically done at the gh-pages/2021 includes DBIR two-digit level and we will specify deliberate naming conventions, facts, figures and figure data terms and definitions and NAICS codes along with an industry • veriscommunity.net features label. For example, a chart with a label spend a lot of time making information on the framework with of Financial (52) is not indicative of 52 sure that we are consistent examples and enumeration listings as a value. “52” is the code for Finance and Insurance sector. The overall label throughout the report. • github.com/vz-risk/veris features of “Financial” is used for brevity within Hopefully this section will the full VERIS schema the figures. Detailed information on help make all of those • github.com/vz-risk/vcdb provides the codes and classification system is more familiar. access to our database of publicly available here: disclosed breaches, the VERIS Community Database https://www.census.gov/ naics/?58967?yearbck=2012 • http://veriscommunity.net/ veris_webapp_min.html allows you VERIS resources to record your own incidents and breaches. Don’t fret, it saves any The terms “action,” “threat actor” and Being confident of our data “variety” will be referenced often. data locally and you only share These are part of the Vocabulary for what you want Starting in 2019 with slanted bar Event Recording and Incident Sharing charts, the DBIR has tried to make the (VERIS), a framework designed to allow point that the only certain thing about for a consistent, unequivocal collection information security is that nothing is of security incident details. Here is how Incident vs. breach certain. Even with all the data we have, they should be interpreted: We talk at length about incidents and we’ll never know anything exactly. breaches and we use the following However, instead of throwing our hands Threat actor: Who is behind the event? definitions: up and complaining that it is impossible This could be the external “bad guy” to measure anything in a data-poor environment, or worse, simply making who launches a phishing campaign Incident: A security event that stuff up, we get to work. This year or an employee who leaves sensitive compromises the integrity, we continue to represent uncertainty documents in their seat back pocket. confidentiality or availability of throughout the report figures. an information asset. Action: What tactics (actions) were used to affect an asset? VERIS Breach: An incident that results in uses seven primary categories of the confirmed disclosure—not just threat actions: Malware, Hacking, potential exposure—of data to an Social, Misuse, Physical, Error and unauthorized party. Environmental. Examples at a high level are hacking a server, installing malware or influencing human behavior through a social attack. 2021 DBIR Master’s Guide 4 Figures 1, 2, 3 and 4 all convey the range in Figure 3), each dot represents 0.5% of realities that could credibly be true. of organizations. This is a much better Credit where credit is due Whether it be the slant of the bar chart, way of understanding how something Turns out folks enjoy citing the report, the threads of the spaghetti chart, the is distributed among organizations and and we often get asked how they dots of the dot plot, or the color of the provides additional information than should go about doing it. violin chart, they all convey the uncertainty an average or a median. We added of our industry in their own special way. additional colors and callouts to make You are permitted to include statistics, these even more informative this year. figures and other information from The slant on the bar chart represents the the report, provided that you (a) cite uncertainty of that data point to a 95% Our newcomers this year are spaghetti the source as “Verizon 2021 Data confidence level (which is quite standard and violin charts. They attempt to capture Breach Investigations Report” and for statistical testing). In layman’s terms, if uncertainty in a similar way to slanted (b) that content is not modified in any the slants of two (or more) bars overlap, bar charts but are more suited for, way. Exact quotes are permitted but you can’t really say one is bigger than the respectively, data visualized over time and paraphrasing requires review. If you other without angering the math gods proportions of changes over a specific would like to provide people a copy (and their wrath is terrible). time period. For these charts, the darker of the report, we ask that you provide area is more likely to be the correct value. them a link to verizon.com/dbir/ rather Dot plots are also frequently used, and than the PDF. the trick to understanding this chart is Let us know what you think of them.1 We that the dots represent organizations. hope they make your journey through this For example, if there are 200 dots (like complex dataset a little less daunting. Questions? Comments? Upset there is no AR/VR version of 2 the DBIR? Let us know! Drop us a line at [email protected], find us on LinkedIn, tweet Figure 1. Example slanted bar chart (n=402) @VerizonBusiness with #dbir. Got a data question? Tweet @VZDBIR! Figure 3. Example dot plot (n=672) Each dot represents 0.5% of organizations Figure 2. Example spaghetti chart Figure 4. Example violin chart (n=581) 1 But only if you like them. Our figures guy is really thin skinned. 2 We REALLY want to make it happen! 2021 DBIR Master’s Guide 5 Introduction Greetings! Welcome to the 2021 Data possible than we might imagine. What Breach Investigations Report (DBIR)! is impossible is to accurately predict We always appreciate you, our readers, what those things might be. Therefore, but this year we would like to say thank we will not meddle with words like you for just showing up. Thanks for “possible,” but will confine ourselves simply making it through the often to what is “probable.” frightening and always unpredictable dystopian wasteland that was 2020, This year we analyzed 79,635 and still having enough interest and incidents, of which 29,207 met our energy to care about making the world quality standards and 5,258 were a safer place. By the time you read this, confirmed data breaches, sampled it is devoutly to be hoped that we have from 88 countries around the world. moved on to a place of relative safety, Once again, we include breakouts somewhere beyond Thunderdome if for 11 of the main industries, the SMB you will. section, and we revisit the various geographic regions studied in the prior Recent events around the world have report to see how they fared over the been deemed by many to be sufficient last year. We also include our Center cause to re-evaluate their priorities. In for Internet Security (CIS) Controls® similar fashion, we have stepped back recommendation mapping, because and taken another look at what we have the world being unpredictable and been doing over the past few years. uncertain doesn’t mean your security This exercise led to a revamp of our strategy has to be. patterns, the creation of some shiny new ones and the recalibration of some As always, we wish to humbly say thank others. It is our hope that doing this will you to our 83 contributors, both old and increase awareness of where possible new.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages119 Page
-
File Size-